Re: [Full-disclosure] [ Capture Skype trafic ]
On 10/28/06, gabriel rosenkoetter <[EMAIL PROTECTED]> wrote:
> On Sat, Oct 28, 2006 at 11:24:40AM +0200, Cedric Blancher wrote:
> > Have you ever heard of the Skype API that basically allows two applications to
> > communicate on top of the Skype network, thus inheriting Skype's resilience,
> > encryption, obfuscation and firewall-punching capabilities?
>
> I don't see how this isn't still an HR problem.

It is an HR problem. It's also an IT problem. Neither group can solve the issue without help from the other. And both groups need buy-in from the rest of the organization if they expect to make the solution stick.

Regards,
Brian

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Multiple websites iframe vulnerability
I am writing these lines to inform you of the latest security research results regarding iframe spoofing, available at - eof-project.net -

What you will find is a list of 70 websites vulnerable to iframe spoofing attacks. The websites are mostly German, and 30 of them are bank sites. Together with the above-mentioned information you will also find an example showing how this vulnerability can easily be used for phishing attacks.

Yours,
SkyOut/EOF-Project/Helith
Re: [Full-disclosure] [ Capture Skype trafic ]
--- Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> gabriel rosenkoetter to me:
> I wouldn't want to work in an IT department of a company where setting
> the policy of what is acceptable code to run on the computers I managed
> was any of HR's business.

Then you have never worked in a real organization. IT is just another wrench; HR's job is to tell you how to wield it. Sure, it makes sense to mitigate a lot of the risk via technical measures, but when all is said and done, policy and the culture it represents is what keeps you secure, not your technical measures (speaking of inside threats here, which is what Skype is).

-Peter
Re: [Full-disclosure] [ Capture Skype trafic ]
gabriel rosenkoetter to me:
> > Final enforcement may be an HR problem, [...]
>
> Both setting the policy for acceptable use and enforcing that policy
> are HR's problem.

I wouldn't want to work in an IT department of a company where setting the policy of what is acceptable code to run on the computers I managed was any of HR's business. If your "acceptable to use programs" policy is ONLY governed by an HR policy then YOU HAVE MUCH BIGGER PROBLEMS. There ARE technological solutions to the "what code shall we allow to run on this machine" problem. Sadly there are not more and better such solutions, but there are some, and any corporate IT system devised without their use (i.e. _most_ corporate IT systems) is an inadequate system...

Regards,
Nick FitzGerald
[Full-disclosure] Signature for new bot?
I recognize that there has been an upswing in spam, and that a large part of this is botnets. I have also heard of a few people seeing entries such as the following in their logs.

POST http://mtrap.freenet.de:25 HTTP/1.0 with response code(s) 200

Is this familiar? I don't (yet) know of a tool that might cause this particular entry (although my search has not yet been exhaustive). I'd be interested in details, if others have seen this.

Please, just reply here. Unless there are very compelling reasons not to, I will reply on Full Disclosure even if your email is private.

--
It's Full Disclosure. Post the disclosure here, not on your website. You may not have a web site tomorrow.
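For anyone going through their own proxy logs for this, here is an added example (my code, not from the post) that flags entries whose destination is a mail port. The post does not say which proxy produced the entry, so the log layout and every sample line below are constructed; adapt LINE_RE to your own format.

```python
"""Spot proxy log entries whose destination is a mail port, the pattern in
the entry quoted above (an HTTP request aimed at TCP/25).  Added example,
not from the post: the log format and all sample lines are constructed."""
import re
from urllib.parse import urlsplit

# Constructed sample log in a simple 'client - [timestamp] "request" status' layout.
SAMPLE_LOG = """\
10.0.0.23 - [28/Oct/2006:11:02:13 +0100] "POST http://mtrap.freenet.de:25 HTTP/1.0" 200
10.0.0.23 - [28/Oct/2006:11:02:14 +0100] "CONNECT mx.example.net:25 HTTP/1.0" 200
10.0.0.42 - [28/Oct/2006:11:03:01 +0100] "GET http://www.example.org/index.html HTTP/1.1" 200
10.0.0.42 - [28/Oct/2006:11:03:05 +0100] "GET https://www.example.org:8443/api HTTP/1.1" 403
10.0.0.99 - [28/Oct/2006:11:04:00 +0100] "POST http://smtp.example.com:587/ HTTP/1.0" 200
"""

MAIL_PORTS = {25, 465, 587}          # SMTP, SMTPS, submission
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)

def target_port(method, target):
    """Destination port of a proxy request; None when it cannot be determined."""
    if method == "CONNECT":                  # CONNECT host:port
        host, _, port = target.rpartition(":")
        return int(port) if host and port.isdigit() else None
    parts = urlsplit(target)                 # absolute-URI form used with forward proxies
    try:
        if parts.port is not None:
            return parts.port
    except ValueError:                       # garbage where the port should be
        return None
    return {"http": 80, "https": 443}.get(parts.scheme)

def find_mail_relay(log_text):
    """Entries that reached a mail port through the proxy, as
    (client, method, target, port, status) tuples."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port = target_port(m["method"], m["target"])
        if port in MAIL_PORTS:
            hits.append((m["client"], m["method"], m["target"], port, int(m["status"])))
    return hits

def relaying_clients(log_text):
    """Internal hosts to pull for cleanup: a 2xx status means the proxy passed
    the request on rather than refusing the destination."""
    return sorted({h[0] for h in find_mail_relay(log_text) if 200 <= h[4] < 300})
```

What makes the quoted entry worth chasing is the port, not the method: a forward proxy that accepts an absolute-URI or CONNECT request to TCP/25 and does not refuse it has put the client in touch with a mail server, which is all a spam bot wants from an open proxy. The proxy-side fix is to restrict the ports it will connect to; the hosts returned by relaying_clients() are the ones to look at for the bot itself.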
Re: [Full-disclosure] [ Capture Skype trafic ]
On Saturday, 28 October 2006 at 11:53 -0400, gabriel rosenkoetter wrote:
> I don't see how this isn't still an HR problem.

Resource usage will definitely end up as an HR problem, but that does not mean you don't have to filter. There are technical means to block execution of arbitrary applications, as pointed out before, and that's just an example of what can be done from a technical perspective. Sometimes you can consider the risk low, so you can let education deal with it for you. Sometimes you can't. I think Skype may induce risks that I wouldn't leave to education alone.

As a more general matter, and as you said before, filtering will never work by itself, but that also applies to education. Education is not sufficient, or we would have noticed it before. And if user security is all about HR, I really don't understand why we put so much protection around what they do...

--
http://sid.rstack.org/
PGP KeyID: 157E98EE  FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
Re: [Full-disclosure] [ Capture Skype trafic ]
On Sat, Oct 28, 2006 at 10:58:38AM +1300, Nick FitzGerald wrote:
> Final enforcement may be an HR problem, [...]

Both setting the policy for acceptable use and enforcing that policy are HR's problem.

--
gabriel rosenkoetter
[EMAIL PROTECTED]
Re: [Full-disclosure] [funsec] Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far) (fwd)
1,$s/computer/Windows machine/

Geez, you would think that they would at least identify the OS. You might also think that they would point out that this exploit was discovered in November, 2003.

Regards
Marshall

On Oct 24, 2006, at 6:27 PM, Gadi Evron wrote:

> So, here we go. Real-life uses for vulnerabilities.
>
> Below is an example of just ONE "drop-zone" server in the
> United States, which has "600 financial companies and banks".
>
> Several gigs of data.
>
> How do these things work?
>
> They get installed by the use of a web vulnerability, an email attachment
> or network scanning, utilizing several vulnerabilities.
>
> One drop zone, and all this noise gets made. I am very happy to hear that
> the UK police (which are good people) are doing something about this,
> however, banks, eCommerce sites, dating sites, etc. all get attacked by
> these things, by the users being infected.
>
> These trojan horses use rootkit technology, with a hook, using man in the
> middle attacks to bypass the SSL encryption, and steal any HTTPS
> credentials they come across.
>
> These things are so wide-spread, this news item made me raise my eyebrow,
> at first.
>
> So, knowing full-well security is out of our hands, and relies on the
> security of our users. Knowing full-well that the same technology can be
> used to bypass 2-factor authentication, how do organizations handle their
> own security, if they are to have clients?
>
> The point is, though, that this is a well planned operation, with new
> samples being released with new vulnerabilities to exploit,
> constantly. This should not be considered a "one time case" or a "lost
> laptop containing private data".
>
> This is what vulnerabilities are about - the damage and operations they
> are used for.
>
> Gadi.
>
> -- Forwarded message --
> Date: Tue, 24 Oct 2006 21:24:20 GMT
> From: Fergie <[EMAIL PROTECTED]>
> To: funsec@linuxbox.org
> Subject: [funsec] Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far)
>
> Via InfoWorld.
>
> [snip]
>
> British electronic-crime detectives are investigating a massive data
> theft operation that stole sensitive information from 8,500 people in
> the U.K. and others in some 60 countries, officials said Tuesday.
>
> In total, cybercriminals targeted 600 financial companies and banks,
> according to U.K. authorities, who have worked over the past week to
> identify and notify victims.
>
> Through intelligence sources, U.K. police were given several gigabytes
> of data -- around 130,000 files -- that came from a server in the U.S.,
> said Charlie McMurdie, detective chief inspector for the Specialist
> Crime Directorate e-Crime Unit of the London Metropolitan Police. Most
> of the data related to financial information, she said.
>
> The data was collected by a malicious software program nicknamed
> Haxdoor that infected victims' computers. Some 2,300 machines were
> located in the U.K., McMurdie said.
>
> [snip]
>
> More:
> http://www.infoworld.com/article/06/10/24/HNukdatatheft_1.html
>
> - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
> ___
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
[Full-disclosure] Asteroid SIP Denial of Service Tool
Asteroid is a SIP denial of service attack tool which affected older versions of Asterisk, the open source PBX, and may affect other products running the SIP protocol. There are thousands of custom (mis)crafted SIP packets which were sent to older versions of Asterisk that caused errors stopping Asterisk. The packets were crafted based on packet dumps from Wireshark with flags set for pseudo-spoofing, ranDUMBized extensions, etc.

The purpose of the tool was to help me understand SIP security and denial of service attacks on the SIP protocol. Originally I had intended to test out my nCite Session Border Controller, but after watching nCite crash and burn on its own, it made little sense for me to point it at it. I have found that by sending a certain sequence of these packets, in a certain order, servers react differently. Sometimes it crashed faster, sometimes more extensions subscribed, sometimes voicemails were created, and the list went on.

Asterisk version 1.2.13 and later are now patched against this issue, but there are other products it has not been tested on. The packets were butchered in Perl and called from a shell script, since I had to manipulate packet sequences individually. This proof of concept program is released to the public in the hope that individuals will find a useful purpose for it in assessing DoS vulnerabilities. It is unfortunate, though, that there are idiots who will use this lame tool for malicious purposes.

Some vendors, CERT and other organizations were contacted as early as September 9th 2006 to address issues with their products. Most reacted quickly to get the fixes in order. Thanks to Kevin P. Flemming and the guys on Asterisk Dev for creating a thread on this, Dan York for getting some to pay attention, PSIRT at Cisco for looking into this, Tim Donahue for his Perl pointers, vgersh99 (aka vlad) for nawk foo pointers, PHV, Annihilannic, p5wizard (segment!), and Henning Schulzrinne for taking a look at the tool during his seminars at Columbia. Also thanks to Anthony LaMantia, Tzafir Cohen, and the others on the dev list for tolerating my posts. Public apologies to Jay R. Ashworth for my misreading of the "(Missed)Trust in Caller ID" thread on VOIPSA ;)

Coming 10/31/2006
http://www.infiltrated.net/asteroid/

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
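To make the description above concrete, here is an added example (my code, not Asteroid's) that builds SIP REGISTER requests, applies four of the kinds of damage the post mentions (a spoofed extra Via, oversized extensions, a Content-Length that lies, a datagram cut off mid-header) and runs each result through a strict checker. Nothing is put on the wire, so it runs anywhere; the hosts, extensions, mutation classes and the 1024-byte line limit are constructed for illustration.

```python
"""Build SIP REGISTER requests, apply the kinds of damage the post describes
(spoofed Via, random extensions, inconsistent lengths, cut-off datagrams) and
run each result through a strict checker.  Added example, not Asteroid's
code; nothing is sent.  Hosts, extensions, the mutation classes and the line
limit are constructed for illustration."""
import random

CRLF = "\r\n"
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq")
MAX_LINE = 1024   # longest header line the checker tolerates (assumed limit)

def build_register(ext, rng=random, via_host="10.1.1.1", target="pbx.example.net"):
    """Well-formed REGISTER for extension `ext` (constructed hosts, no real PBX)."""
    branch = f"z9hG4bK{rng.randrange(1 << 32):08x}"
    lines = [
        f"REGISTER sip:{target} SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host}:5060;branch={branch}",
        f"From: <sip:{ext}@{target}>;tag={rng.randrange(1 << 32):08x}",
        f"To: <sip:{ext}@{target}>",
        f"Call-ID: {rng.randrange(1 << 64):016x}@{via_host}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{ext}@{via_host}:5060>",
        "Max-Forwards: 70",
        "Content-Length: 0",
    ]
    return CRLF.join(lines) + CRLF + CRLF

def mutate(msg, kind, rng=random):
    """Damage a well-formed message in one named way."""
    if kind == "truncate":                       # datagram cut off mid-header
        return msg[: len(msg) // 2]
    head, sep, body = msg.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    if kind == "dup_via":                        # spoofed Via in front of the real one
        lines.insert(1, f"Via: SIP/2.0/UDP {rng.randrange(1, 255)}.{rng.randrange(256)}.1.1:5060;branch=z9hG4bKspoof")
    elif kind == "long_ext":                     # oversized user part in From/To
        big = str(rng.randrange(10 ** 6)) * 2000
        lines = [l.replace("<sip:", f"<sip:{big}", 1) if l.startswith(("From:", "To:")) else l
                 for l in lines]
    elif kind == "bad_len":                      # Content-Length claims a body that is not there
        lines = ["Content-Length: 512" if l.startswith("Content-Length:") else l for l in lines]
    else:
        raise ValueError(f"unknown mutation {kind!r}")
    return CRLF.join(lines) + sep + body

def check_sip(msg):
    """Problems a strict parser should raise before acting on the message (empty = clean)."""
    problems = []
    head, sep, body = msg.partition(CRLF + CRLF)
    if not sep:
        problems.append("no header/body terminator")
    lines = head.split(CRLF)
    req = lines[0].split(" ")
    if len(req) != 3 or req[2] != "SIP/2.0" or not req[1].startswith("sip:"):
        problems.append("malformed request line")
    names = [l.split(":", 1)[0].strip() for l in lines[1:]]
    for name in REQUIRED:                        # each mandatory header exactly once
        if names.count(name) != 1:
            problems.append(f"{name} count {names.count(name)}")
    if any(len(l) > MAX_LINE for l in lines):
        problems.append("header line too long")
    declared = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.startswith("Content-Length:")), None)
    if declared is None or not declared.isdigit() or int(declared) != len(body):
        problems.append("Content-Length mismatch")
    return problems

MUTATIONS = ("truncate", "dup_via", "long_ext", "bad_len")

def fuzz_batch(ext="1000", rng=random):
    """(kind, problems) for one clean message and one of each mutation."""
    good = build_register(ext, rng)
    return [("clean", check_sip(good))] + [(k, check_sip(mutate(good, k, rng))) for k in MUTATIONS]
```

The checker is the half worth keeping: every problem it reports is a condition a SIP stack must handle before it trusts the message, and a reader implementing one can extend the list. The post's observation that the order of packets matters is also why a fuzzer of this kind should record the whole sequence that preceded a crash rather than only the final packet; a batch like fuzz_batch() is only useful if it is replayable.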
Re: [Full-disclosure] [ Capture Skype trafic ]
On Sat, Oct 28, 2006 at 11:24:40AM +0200, Cedric Blancher wrote:
> Have you ever heard of the Skype API that basically allows two applications to
> communicate on top of the Skype network, thus inheriting Skype's resilience,
> encryption, obfuscation and firewall-punching capabilities?

I don't see how this isn't still an HR problem. Unless you're concerned about infected systems communicating in this way as part of a zombie network? In that case, your vector to fix it is dealing with your broken virus checking.

Setting up network filtering to keep your internal users from doing something, rather than persuading them that they should not do that, will never, ever work.

--
gabriel rosenkoetter
[EMAIL PROTECTED]
[Full-disclosure] Removing Hidden fields automatically in Paros
Hi

For all those application testers out there that use PAROS Proxy who are as lazy as me, I thought I would share a tip on how I set Paros to automatically remove hidden field tags in PAROS (also usable on other proxies):

- in Tools, Filter menu, set the HTTP body response checkbox
- set the search pattern to be: type\s*=\s*["']?hidden["']?
- no need to set the replace field
- now browse a web page with hidden fields

I must admit I rely on the above so much that I am not sure if it misses any hidden tags. I suppose I could compare it with a "find all 'hidden' words" and compare body responses.

My wish list for PAROS would be:
- allow multiple filters per HTTP section
- save the above filters so that I do not need to enter them every time I use PAROS
- manually set the user agent rather than use the PAROS drop-down (Googlebot goes to places I can not); it gets annoying setting the HTTP request header filters as well

Anybody have any other techniques they would like to share on PAROS or other proxies?? I would definitely like a RELIABLE way to convert HTML select statements to input statements - another regex along the lines of this Perl regex (probably useless on scripted select controls that many pages create on the fly):

/<select[^>]*?(name\s*=\s*["']?([^"'\s]+)["']?\s+).*?<\/select>/$2/ims

TIA & Rgds
Richard
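An added example (not Paros code, and not Richard's) that does both transformations on a response body: hidden inputs become text inputs (the same effect as the filter above, which deletes the type=hidden attribute), and each select becomes a text input carrying the selected option's value, so the tester can type whatever they like. It goes beyond the post's regex by using Python's html.parser, which is what makes it indifferent to attribute order, quoting and case; the sample form is constructed. hidden_regex_count() applies the post's own pattern so the two counts can be compared, which is the check Richard says he would like.

```python
"""Rewrite a response body so hidden inputs become ordinary text fields and
each <select> becomes a free-text <input>.  Added example, not Paros code;
uses the standard-library HTML parser instead of a regex.  The sample form
is constructed."""
import html
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<form action="/transfer" method="post">
<input type=hidden name="account" value="12345">
<INPUT TYPE='HIDDEN' NAME='csrf' VALUE='abc'>
<input type="text" name="amount">
<select name="currency"><option value="EUR">Euro</option><option value="USD" selected>Dollar</option></select>
<select name="speed"><option>slow</option><option>fast</option></select>
<input type="submit" value="Go">
</form>"""

# The search pattern from the post (Paros body filter); used here only to cross-check.
HIDDEN_RE = re.compile(r"""type\s*=\s*["']?hidden["']?""", re.IGNORECASE)

class Unhider(HTMLParser):
    """Streams the document back out, rewriting only <input type=hidden> and <select>."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.converted = [], 0
        self.select = None   # while inside <select>: name, first and chosen option value
        self.opt = None      # while inside <option>: value attr, text, selected flag

    @staticmethod
    def _tag(tag, attrs):
        bits = [tag] + [f'{k}="{html.escape(v, quote=True)}"' if v is not None else k
                        for k, v in attrs]
        return "<" + " ".join(bits) + ">"

    def handle_starttag(self, tag, attrs):
        if self.select is not None:                     # inside a select: only track options
            if tag == "option":
                d = dict(attrs)
                self.opt = {"value": d.get("value"), "text": "", "selected": "selected" in d}
            return
        if tag == "select":
            self.select = {"name": dict(attrs).get("name", ""), "first": None, "chosen": None}
            return
        if tag == "input":
            fixed = []
            for k, v in attrs:
                if k == "type" and (v or "").lower() == "hidden":
                    v, self.converted = "text", self.converted + 1
                fixed.append((k, v))
            attrs = fixed
        self.out.append(self._tag(tag, attrs))

    def handle_startendtag(self, tag, attrs):            # <input .../> handled like <input ...>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.select is None:
            self.out.append(f"</{tag}>")
            return
        if tag == "option" and self.opt is not None:
            o = self.opt
            val = o["value"] if o["value"] is not None else o["text"].strip()
            if self.select["first"] is None:
                self.select["first"] = val
            if o["selected"] and self.select["chosen"] is None:
                self.select["chosen"] = val
            self.opt = None
        elif tag == "select":                           # emit one text input in its place
            s = self.select
            val = s["chosen"] if s["chosen"] is not None else (s["first"] or "")
            self.out.append(self._tag("input", [("type", "text"), ("name", s["name"]), ("value", val)]))
            self.select = None

    def handle_data(self, data):
        if self.select is None:
            self.out.append(data)
        elif self.opt is not None:
            self.opt["text"] += data

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

def unhide(doc):
    """Return (rewritten document, number of hidden inputs converted)."""
    p = Unhider()
    p.feed(doc)
    p.close()
    return "".join(p.out), p.converted

def hidden_regex_count(doc):
    """What the post's Paros pattern would match; compare with unhide()'s count."""
    return len(HIDDEN_RE.findall(doc))
```

Like the regex, this does nothing for controls that script builds after load; for those the change has to be made in the request, not the response.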
[Full-disclosure] blocking GIF, PNG and JPG with MIME
MIME GIF sig: R0lGODlh
MIME PNG sig: iVBORw0KGgoN
MIME JPG sig: /9j/4AAQSkZJRgABAQ

How to use: Check the BODY of the message for the strings above. A match indicates the message has an image attached, which you can then block if desired.

More: http://seclists.org/fulldisclosure/2004/Dec/0526.html

Stu

---
Stuart Udall
stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
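An added example (my code, not the poster's) that derives the base64 prefix a given file magic produces and applies the attachment check described above to a MIME message. The prefixes are computed from the magic bytes rather than typed in, so the strings in the post can be checked against them; the message and the PNG stub inside it are constructed.

```python
"""Derive the base64 prefix a file magic produces and apply the attachment
check described above to a MIME message.  Added example, not the poster's
code; the message and the PNG stub are constructed."""
import base64
import email
from email import policy

# (kind, magic bytes).  JPEG is matched on the SOI marker alone; the post's
# longer JPG string additionally pins a JFIF APP0 segment of version 1.01.
MAGICS = [
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
]

def b64_signature(magic):
    """Base64 text every attachment beginning with `magic` will start with.
    Base64 works in 3-byte groups: each full group fixes 4 characters, and
    1 or 2 leftover bytes fix 1 or 2 more; the rest depend on later bytes."""
    n = len(magic)
    fixed_chars = (n // 3) * 4 + n % 3
    return base64.b64encode(magic).decode()[:fixed_chars]

def sniff(data):
    """Image kind by magic bytes, or None."""
    for kind, magic in MAGICS:
        if data.startswith(magic):
            return kind
    return None

def image_attachments(raw):
    """(filename, kind) for every MIME part whose decoded bytes are an image,
    whatever Content-Type the sender claimed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        kind = sniff(part.get_payload(decode=True) or b"")
        if kind:
            found.append((part.get_filename(), kind))
    return found

def body_signature_hits(raw):
    """The post's method: scan the raw message text for the base64 prefixes."""
    text = raw.decode("latin-1")
    return sorted({kind for kind, magic in MAGICS if b64_signature(magic) in text})

# Constructed message: a text part plus a base64 "PNG" that is only the
# signature and an IHDR chunk header, enough for the check but not an image.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
RAW_MESSAGE = (
    b"From: a@example.net\r\nTo: b@example.net\r\nSubject: test\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
    b"--XX\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--XX\r\nContent-Type: application/octet-stream; name=\"x.png\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"x.png\"\r\n\r\n"
    + base64.b64encode(PNG_STUB) + b"\r\n--XX--\r\n"
)
```

Two things to keep in mind when using strings like these. The base64 text only lines up with the magic when the file starts at the beginning of the encoded part, which holds for a MIME attachment but not for an image embedded part-way through some other encoded blob; and a raw-body string match also fires on quoted text that happens to contain the string. Decoding each part and checking the magic bytes, as image_attachments() does, avoids both and does not care what Content-Type was declared. On the PNG value: every PNG carries the 8-byte signature followed by the IHDR chunk, whose 4-byte length is 13, so its base64 form always begins iVBORw0KGgoAAAANSUhEUg; a filter should match on iVBORw0KGgo rather than on a longer string.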
Re: [Full-disclosure] [ Capture Skype trafic ]
On Friday, 27 October 2006 at 16:53 -0400, gabriel rosenkoetter wrote:
> (That said... keeping people from using Skype on a corporate network
> is an HR problem, not a network management/security problem,
> methinks, just like any P2P software.)

Have you ever heard of the Skype API that basically allows two applications to communicate on top of the Skype network, thus inheriting Skype's resilience, encryption, obfuscation and firewall-punching capabilities?

--
http://sid.rstack.org/
PGP KeyID: 157E98EE  FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!